General Terms of Use

Last update: 10.08.2020
Hello and welcome to the uhub Terms of Use (“Terms”). The following terms and conditions are important for the following reasons:
-They represent your rights to uhub
-They explain the rights you grant us when using uhub
-They shall determine how any dispute shall be settled by arbitration.

Introduction
The uhub.io ag (contractor) processes personal data for the customer (client).

The parties state that Regulation (EU) 2016/679 (Basic Data Protection Regulation “DS-GVO”) may apply to the agreed data processing (e.g. processing of personal data of persons residing in the EU). Therefore, the parties agree that the processing of personal data will take place on the basis of these Terms of Use, which take into account the provisions of the DS-GVO. Data processing must also ensure compliance with the relevant Swiss data protection regulations in accordance with the applicable Data Protection Act (DSG), insofar as these requirements are not fulfilled without compliance with the DS-GVO.

Subject
The subject matter of the contract results from the procedural description of the product uhub.io (“performance description”):

uhub.io is online software – also known as cloud software – and is independent of the operating system and platform. The software is operated via an Internet browser. uhub.io is a communication tool that enables the responsible person to record, share and plan his communication strategy in a structured manner. Furthermore, communication teams are collaboratively supported in the implementation of the communication strategy.

Duration
The order is placed for an unlimited period and can be terminated by either party at any time at the end of a month by observing a notice period of one month. If the "annual payment" option was selected when the contract was concluded, the contract can be terminated by either party by giving one month's notice to the end of the contract.The possibility of termination without notice remains unaffected.

Concretisation of the order content
1) Nature and purpose of the proposed processing of data
The subject of the order for data handling is the performance of the following tasks by the contractor:
Storage of the data for the provision of the services in accordance with the service description.
The performance of the contractually agreed data processing takes place in Switzerland. An adequate level of data protection was established by the EU Commission in a formal decision for Switzerland: 2000/518/EC.
2) Type of data
The contractor himself does not actively process personal data. Access to the data is only granted for the purpose of rectifying errors in accordance with the General Terms and Conditions. Within the scope of this error correction it is possible for the contractor to gain access to data of the client. Personal data may also be affected by this.
The Client confirms that the following non-exhaustive personal data may be the subject of processing.
– Clients
– interested parties
– staff
– suppliers
The customer shall ensure that no data is stored in accordance with Art. 9 DS-GVO. This includes the following data categories: 
Racial and ethnic origin / political opinions / religious or ideological beliefs / trade union membership / genetic data, biometric data for the unambiguous identification of a natural person, health data or data on sex life or sexual orientation. 
When storing such data, the contractor must be informed immediately. The contractor reserves the right in this case to terminate the contract immediately, unilaterally and without cost consequences.

Technical / Organizational Measures
1) The contractor has put the necessary technical and organisational measures into force before the start of processing.
2) The contractor has suffered the security in accordance with Art. 28 para. 3. c, 32 DS-GVO in particular in conjunction with Art. 5 para. 1, para. 2 DS-GVO. Overall, the measures to be taken are data security measures and measures to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. The state of the art, the implementation costs and the type, scope and purpose of the processing as well as the different probability of occurrence and severity of the risk to the rights and freedoms of natural persons within the meaning of Art. 32 para. 1 DS-GVO were taken into account.
3) The technical and organisational measures are subject to technical progress and further development. In this respect, the contractor is permitted to implement alternative adequate measures. The safety level of the specified measures may not be undercut. Material changes must be documented.
If interested, the documentation of the technical and organisational measures can be requested by e-mail to privacy@uhub.io .

Correction, restriction and deletion of data
1) The contractor may not correct, delete or restrict the processing of the data processed on behalf of the client without authorisation, but only in accordance with the documented instructions of the client. If a person concerned directly contacts the Contractor in this respect, the Contractor shall forward this request to the Customer without delay.
2) Insofar as the scope of services covers, the deletion concept, right to be forgotten, correction, data portability and information shall be ensured directly by the Customer. The contractor shall support the client in the provision of these services in return for compensation.Quality Assurance and Other Duties of the Contractor.
In addition to compliance with the provisions of this contract, the Contractor shall have statutory obligations pursuant to Articles 28 to 33 DS-GVO; to this extent he shall in particular ensure compliance with the following requirements:
1) The contractor is not obliged to appoint a data protection officer in accordance with the DS-GVO. The contact person is Olivier Fuchs, uhub.io ag, Neuengasse 41, 3011 Bern, Switzerland. This can be done under privacy@uhub.io.
2) Maintaining confidentiality in accordance with Art. 28 para. 3 sentence 2 lit. b, 29, 32 para. 4 DS-GVO. When carrying out the work, the contractor shall only employ employees who are obliged to maintain confidentiality and who have been familiarised beforehand with the data protection provisions relevant to them.
3) The implementation of and compliance with all technical and organisational measures required for this assignment pursuant to Art. 28 para. 3 sentence 2 lit. c, 32 DS-GVO
4) Insofar as the Client is subject to inspection by the supervisory authority, administrative offence or criminal proceedings, the liability claim of a person concerned or a third party or any other claim in connection with the processing of the order by the Contractor, the Contractor shall support him to the best of his ability. The contractor shall be entitled to expense-based compensation for such assistance.
5) The Contractor shall regularly monitor the internal processes and the technical and organisational measures to ensure that the processing in its area of responsibility is carried out in accordance with the requirements of the applicable data protection law and that the rights of the data subject are protected.
6) Verifiability of the technical and organisational measures taken to the client within the scope of his control powers in accordance with section 8 of this contract.

Subcontracting relationships
1) For the purposes of this Regulation, subcontracting shall mean services which relate directly to the provision of the principal service. This does not include ancillary services which the contractor uses, e.g. as telecommunications services, postal/transport services, maintenance and user services or the disposal of data media as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. In order to guarantee the data protection and data security of the Customer’s data, the Contractor shall also take appropriate and legally compliant contractual agreements and control measures in the case of outsourced ancillary services.
2) The following subcontractors and subcontractors are involved in the provision of the services:
a) Google LLC (formerly known as Google Inc.),
1600 Amphitheatre Parkway, Mountain View, California 94043 USA
Data Protection Officer:
https://support.google.com/cloud/contact/dpo
Services: Cloud Hosting Provider
Place of processing (address): Zurich (europe-west6), Switzerland
b) maatoo.io
Data protection officer: privacy@maatoo.io
Services: Marketing Automation
Place of processing (address): 55 weeks, Busswilstrasse 16, 3250 Lyss, Switzerland
c) Exoscale
Route de Marcolet 39. 1023 Crissier, Switzerland
Data Protection Officer: privacy@exoscale.ch
Services: Cloud Hosting Provider
Processing location (address): Eielen fort DKII, Attingshausen, Switzerland
Used by iod) Talcus SAS
24 rue Daudet, 91400 Saclay, France
Data Protection Officer: contact@talkus.io
Services: Chat service for the support of the responsible persons
Processing location (address): 24 rue Daudet 91400 Saclay (France)
e) Slack Technologies
500 Howard Street, San Francisco, CA 94105, USA
Data Protection Officer: dpo@slack.com
Services: Chat Collaboration Solution for centralizing support communication
Processing location (address): Slack Technologies, 500 Howard Street, San Francisco, CA 94105, USA
Used by: io
f) userpilot
Userpilot, Inc., 2035 Sunset Lake Road, Newark, Delaware 19702
Datenschutzbeauftragter: Yazan Sehwail, security@userpilot.io
Leistungen: Digital Adoption Platform
3) The subcontractors shall provide the ancillary services necessary for the proper and contractual functioning of the solution in relation to the main service. The client acknowledges this and expressly agrees to the awarding of the tasks described.
4) If the subcontractor renders the agreed service outside the EU/EEA or Switzerland, the contractor shall ensure compliance with data protection law by taking appropriate measures. The same shall apply if service providers within the meaning of para. 1 sentence 2 are to be employed.

Information of the client
1) The Contractor shall ensure that the Client can satisfy himself that the obligations of the Contractor under Art. 28 DS-GVO have been complied with. The Contractor undertakes to provide the Customer with the necessary information upon request.
2) Evidence of such measures may be provided by
a) compliance with approved rules of conduct pursuant to Art. 40 DS-GVO;
b) certification in accordance with an approved certification procedure pursuant to Art. 42 DS-GVO;
c) current certificates, reports or extracts of reports from independent bodies (e.g. auditors, auditors, data protection officers, IT security department, data protection auditors, quality auditors);
d) a suitable certification through an IT security or data protection audit (e.g. according to BSI basic protection).
e) The contractor may claim remuneration for costs incurred by the contractor as a result of exercising the control rights and providing the required evidence.

Notification of infringements by the contractor
1) The Contractor shall support the Client in complying with the obligations set out in Articles 32 to 36 of the DS-GVO regarding the security of personal data, reporting obligations in the event of data breakdowns, data protection impact assessments and prior consultations. These include, but are not limited to
a) ensuring an adequate level of protection through technical and organisational measures that take into account the circumstances and purposes of the processing as well as the predicted probability and severity of a possible breach of rights due to security gaps and enable the immediate detection of relevant breach events
(b) the obligation to report infringements of personal data to the contracting authority without delay
(c) the obligation to assist the contracting entity in fulfilling its obligation to inform the person concerned and to provide him with all relevant information in this connection
(d) assisting the contracting authority with its data protection impact assessment
(e) assisting the contracting authority in prior consultations with the supervisory authority
2) For all support services which are not included in the service description or are not due to a misconduct of the contractor, the contractor can claim a remuneration.

Authority of the Customer to issue instructions
1) Oral instructions are confirmed by the client without delay (at least in text form).
2) The contractor must inform the client immediately if he is of the opinion that an instruction violates data protection regulations. The contractor is entitled to suspend the execution of the corresponding instruction until it has been confirmed or changed by the client.

Deletion and return of personal data
1) Copies or duplicates of the data will not be made without the knowledge of the client. Excluded from this are backup copies, insofar as they are necessary to guarantee proper data processing, as well as data which are necessary with regard to compliance with statutory storage obligations.
2) Upon completion of the contractually agreed work or earlier upon request by the Customer – at the latest upon termination of the performance agreement – the Contractor shall hand over to the Customer all documents, processing and usage results as well as data stocks which have come into his possession and which are connected with the contractual relationship, or, after prior consent, destroy them in accordance with data protection regulations. The same applies to test and scrap material. The deletion protocol must be submitted upon request.
3) Documentation which serves as proof of orderly and proper data processing shall be stored by the Contractor beyond the end of the contract in accordance with the respective retention periods. He may hand them over to the Customer at the end of the contract for his relief.

Final provisions
1) This agreement does not replace any previous agreements.
2) Subsidiary agreements or amendments to this order must be made in writing.
3) References to laws, regulations, documents and appendices shall, unless expressly provided otherwise, apply to the laws, regulations, documents and appendices in their respective valid version, i.e. including any amendments after the contract date.
4) The annexes are an integral part of this contract. In the event of a contradiction between the provisions of the contract itself and its annexes, the provisions of the contract shall prevail. Mandatory legal regulations remain unaffected by this.
5) Should individual provisions of this contract be or become invalid or unenforceable, this shall not affect the validity of the remaining parts. In such a case, the parties undertake to replace the invalid or unenforceable provision with a provision that comes as close as possible to the intended purpose in a legally permissible manner; the same shall apply in the event of loopholes.
6) The client confirms that he fully complies with the provisions of the DS-GVO and the DSG and does not offer any content for processing which could constitute an infringement of the personal rights of the persons concerned.
7) In the external relationship, the Client shall be liable in accordance with the data protection liability provisions for damage caused by processing that does not comply with the law. The contractor shall only be liable for the damage caused by processing if he has not fulfilled his obligations under this contract or acted against the instructions of the client. Internally, the parties shall be liable for such damage in proportion to their share of the responsibility. If, in such a case, a person makes a full or predominant claim against one party for damages, the latter may claim indemnity or indemnity from the other party to the extent that this corresponds to his share of the responsibility.
8) As a company operating in Switzerland, the Contractor shall be exclusively accountable and answerable to the Swiss authorities. The support of or compliance with official or sovereign acts of foreign states and authorities is prohibited under criminal law (Art. 271 StGB).
9) Swiss law applies exclusively to this contract. Place of jurisdiction is Bern/BE.